HACKER Q&A
📣 bnchrch

What's the State of the Art for Code Sandboxing? (2024)


I'm curious about running user-submitted code in a way that

* Protects the host system

* Protects the host network

* Lets me constrain allowed URLs

* Lets me constrain run time resources

* Lets me accept more than one language easily.

At a quick glance it seems like there's a healthy balance of recommendations between nested virtualization (QEMU inside a locked-down Docker host) and WASM (this can imply many architectures).

So HN, if you were to create a sandbox system, what would you reach for?
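As a worked example of two of the requirements listed in the question, "constrain run time resources" and "constrain allowed URLs", here is an added Python illustration that is not from the thread or any commenter. It is Linux-only: it applies hard rlimits (CPU, address space, file size) between fork and exec, adds a wall-clock timeout, runs the guest in a throwaway directory with an empty environment, and checks outbound URLs against an exact-host allow-list. The `ALLOWED_HOSTS` set and the use of a Python interpreter as the guest are constructed assumptions. It deliberately does not provide host filesystem or network isolation; that is the job of the VM, container or WASM layer the post is asking about, and these limits sit inside that layer.

```python
import resource
import signal
import subprocess
import sys
import tempfile
from urllib.parse import urlparse

# Constructed allow-list for the "constrain allowed URLs" requirement;
# a real deployment would load it from configuration.
ALLOWED_HOSTS = frozenset({"api.example.com"})


def url_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """https-only, exact-host allow-list check for an outbound URL.

    urlparse().hostname is lower-cased and has userinfo and port stripped,
    so 'https://api.example.com@evil.test/' resolves to 'evil.test' and is
    refused, where a substring match on the raw string would have passed it.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def _apply_limits(cpu_seconds, mem_bytes, file_bytes):
    """Runs in the child between fork() and exec(): hard rlimits the guest
    cannot raise again. The CPU soft limit delivers SIGXCPU; the hard limit
    one second later delivers SIGKILL if the guest ignored SIGXCPU."""
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    resource.setrlimit(resource.RLIMIT_FSIZE, (file_bytes, file_bytes))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps on disk


def _text(value):
    """TimeoutExpired may carry bytes even with text=True; normalise to str."""
    if isinstance(value, bytes):
        return value.decode(errors="replace")
    return value or ""


def run_sandboxed(argv, stdin_text="", cpu_seconds=1, wall_seconds=10,
                  mem_bytes=512 * 1024 * 1024, file_bytes=1024 * 1024):
    """Run argv under CPU, address-space and file-size rlimits plus a
    wall-clock timeout, in a scratch working directory with an empty
    environment (so secrets in the host's env vars are not inherited).
    Returns a dict with reason in {"ok", "error", "cpu_limit", "timed_out"},
    returncode (negative means killed by that signal), stdout and stderr."""
    def limits():
        _apply_limits(cpu_seconds, mem_bytes, file_bytes)

    with tempfile.TemporaryDirectory() as scratch:
        try:
            proc = subprocess.run(argv, input=stdin_text, capture_output=True,
                                  text=True, cwd=scratch, env={},
                                  timeout=wall_seconds, preexec_fn=limits)
        except subprocess.TimeoutExpired as exc:
            return {"reason": "timed_out", "returncode": None,
                    "stdout": _text(exc.stdout), "stderr": _text(exc.stderr)}
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        reason = "cpu_limit"
    elif proc.returncode == 0:
        reason = "ok"
    else:
        reason = "error"
    return {"reason": reason, "returncode": proc.returncode,
            "stdout": proc.stdout, "stderr": proc.stderr}


def run_python_snippet(code, **limits):
    """Convenience wrapper: the Python interpreter (isolated mode, -I) is
    just an example guest here; any argv works with run_sandboxed."""
    return run_sandboxed([sys.executable, "-I", "-c", code], **limits)


if __name__ == "__main__":
    print(run_python_snippet("print('hello')")["stdout"], end="")
    print(run_python_snippet("while True: pass")["reason"])          # cpu_limit
    print(run_python_snippet("x = bytearray(2 * 10**9)")["reason"])  # error
    print(url_allowed("https://api.example.com@evil.test/"))          # False
```

The rlimits are per-process and inherited across exec, which is why they are set in `preexec_fn` rather than on the parent; the wall-clock timeout is the backstop for a guest that sleeps instead of burning CPU. Accepting more than one language, another item on the list, falls out naturally: only `argv` changes.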


  👤 geekodour Accepted Answer ✓
I've some examples listed here, might be helpful: https://mogoz.geekodour.org/posts/20221101183016-virtualizat...

👤 OnACoffeeBreak
This is probably not helpful, but, can you figure out the infra of https://godbolt.org/ and follow what they have done?

👤 mdaniel
Much like "security," I think of "sandboxing" as "defense against what?" Because on one end of the spectrum is "system prints hello world, exits" and the other is emulated ... everything, virtual filesystem, virtual network, etc., as one might find in a capture-the-flag scenario.

So, I guess the rest of the owl is: what, if you had a magic wand, would you use such a system to run user submitted code to do?


👤 sabbaticaldev
All browsers offer this sandbox by default; use the web.